The FTC Is Now the Nation’s Most Formidable Privacy Enforcer

While businesses and consumers await a national privacy law (that may or may not ever be enacted), and while states across the country have passed their own (and at times inconsistent) privacy statutes, one powerful force remains regularly active in this area: the Federal Trade Commission (FTC).

In July, Kristin Cohen, the acting associate director of the FTC’s Division of Privacy and Identity Protection, explained that the agency is “committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” such as location, health and other sensitive information. She observed that sensitive data is protected by numerous federal and state laws, including Section 5 of the FTC Act, and that claims that data is “anonymous” or “has been anonymized” “are often deceptive.” She expressed concern that smartphones, connected cars, wearable fitness trackers, “smart home” products and browsers “are capable of directly observing or deriving sensitive information about users,” and that when consumers use their connected devices – and sometimes even when they do not – these devices “may be regularly pinging cell towers, interacting with WiFi networks, capturing GPS signals, and otherwise creating a comprehensive record of their whereabouts.” This location data “can reveal a lot about people, including where we work, sleep, socialize, worship, and seek medical treatment.”

Acting Associate Director Cohen concluded that the FTC will use “the full scope of its legal authorities to protect consumers’ privacy” and that it “will vigorously enforce the law” if it uncovers “illegal conduct that exploits Americans’ location, health, or other sensitive data.” See https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal.

Her words have the force of action behind them. The FTC has brought hundreds of cases intended to protect the security and privacy of consumers’ personal information, some of which have resulted in substantial civil penalties.

Consider, for example, that ad exchange OpenX recently paid $2 million to settle FTC allegations that it collected children’s location data without parental consent. See https://www.ftc.gov/news-events/news/press-releases/2021/12/advertising-platform-openx-will-pay-2-million-collecting-personal-information-children-violation.

The agency also recently took action against Kurbo/Weight Watchers for allegedly, among other things, indefinitely retaining sensitive consumer data. The parties reached a settlement that required the company to pay a $1.5 million fine to settle the FTC’s contention that it violated the Children’s Online Privacy Protection Act (COPPA), delete all collected data that the FTC asserted that the company had collected illegally, and also delete any work product algorithms created using that data. See https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-company-formerly-known-weight-watchers-illegally-collecting-kids-sensitive.

Earlier this summer, the FTC entered a final order requiring CafePress to pay $500,000 and to minimize its data collection because, according to the FTC, the company improperly collected and retained consumer data and failed to respect consumers’ deletion requests, among other things. See https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-finalizes-action-against-cafepress-covering-data-breach-lax-security-0.

Then, in late August, the FTC filed a lawsuit against data broker Kochava Inc. in which it alleged that Kochava sold geolocation data from hundreds of millions of mobile devices that could be used to trace the movements of individuals to and from what the FTC characterized as “sensitive locations.” In particular, according to the agency, Kochava’s data could reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters and addiction recovery facilities. The FTC alleged that, by selling data tracking people, Kochava was enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss and even physical violence. The FTC is seeking to halt Kochava’s sale of such sensitive geolocation data and to require the company to delete the sensitive geolocation information it has collected. See https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-places-worship-other.

The FTC’s track record and ability and willingness to act on privacy issues undoubtedly was one reason that led four members of Congress (Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) and Representatives Kathy Castor (FL-14) and Lori Trahan (MA-03)) to write to FTC Chair Lina Khan at the end of September. In their letter, the members of Congress applauded the agency’s efforts “to implement strong privacy safeguards” – and urged it to update its COPPA regulations. The letter acknowledged “Congress’ responsibility to pass strong legislation with protections for young users,” but did not seem hopeful that Congress indeed would act. See https://www.markey.senate.gov/imo/media/doc/lawmakers_letter_to_ftc_on_youth_online_privacy.pdf. In that regard, it is worth noting that, for example, the “Social Media Privacy Protection and Consumer Rights Act of 2021” that Senator Amy Klobuchar (D-Minn) introduced on May 18, 2021, which would require online platform operators to inform a user, prior to a user creating an account or otherwise using the platform, that the user’s personal data produced during online behavior will be collected and used by the operator and third parties, has not moved forward. See https://www.congress.gov/bill/117th-congress/senate-bill/1667?q=%7B%22search%22%3A%5B%22Social+Media+Privacy+Protection+and+Consumer+Rights+Act%22%5D%7D&s=1&r=1.

By contrast, the FTC has been quite busy.

Strategic Plan

About two months ago, on August 26, the FTC released its strategic plan for fiscal years 2022-2026, setting its priorities for these years. Its very first strategic goal – protecting the public from unfair or deceptive acts or practices in the marketplace – includes investigating and litigating conduct “that causes or is likely to cause substantial injury to the public.” According to the FTC, this encompasses “privacy risks.”

The agency stated that it will meet this goal by, among other things, “safeguarding consumer privacy.” See https://www.ftc.gov/system/files/ftc_gov/pdf/fy-2022-2026-ftc-strategic-plan.pdf.

Proposing Rules

Also in August, the FTC announced that it is exploring whether to propose rules regarding commercial surveillance and data security. In its announcement, the FTC explained that commercial surveillance is the business of collecting, analyzing, and profiting from information about people and that mass surveillance has heightened the risks and stakes of data breaches, deception, manipulation and other abuses. In the opinion of the FTC, the business of commercial surveillance can incentivize companies to collect vast troves of consumer information, only a small fraction of which consumers proactively share. Companies reportedly surveil consumers while they are connected to the internet – every aspect of their online activity, their family and friend networks, browsing and purchase histories, location and physical movements, and a wide range of other personal details.

According to the FTC’s Advance Notice of Proposed Rulemaking (ANPR), companies use algorithms and automated systems to analyze the information they collect, and they make money by selling information through the market for consumer data, using it to place behavioral ads, or leveraging it to sell more products.

The FTC is seeking comments, which it must receive on or before October 21, 2022, on what it refers to as “the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.” See https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices.

The agency held a public forum on September 8 regarding the ANPR. FTC Chair Khan’s remarks at the forum are noteworthy. She observed that there was “significant interest” in the forum, which she said underscored “how critical and urgent these issues are to people’s lives today.” Chair Khan acknowledged that modern digital tools “can deliver huge conveniences,” but she added that these tools and the business models that underlie them “can be used to track and surveil individuals in entirely new ways.”

Chair Khan added that companies “are collecting data on where we go, what we read, who we meet, and what we buy.” Moreover, she continued, the “huge amounts of data that are being collected and stored has coincided with a growing number of data leaks and hacks – security vulnerabilities that can leave people’s sensitive information exposed, leading them to lose money, have their identity stolen, or face discrimination or other types of harm.”

Significantly, Chair Kahn then declared that, with the rulemaking proceeding, the FTC is “seeking to determine whether certain unfair or deceptive data practices may now be so prevalent that we need to move beyond case-by-case adjudication and instead have market-wide rules.”

“Stealth Advertising”

On October 19, the FTC is scheduled to hold host a virtual event on “Protecting Kids from Stealth Advertising in Digital Media.” Participants include researchers, child development and legal experts, consumer advocates, and industry professionals who will examine the techniques being used to advertise to children online – in all the various digital spaces children frequent – and what measures should be implemented to protect children from manipulative advertising. Specific topics are expected to include:

• Children’s capacity at different ages and developmental stages to recognize and understand advertising content and distinguish it from other content;
• The harms to children resulting from the inability of children to recognize advertising;
• What measures should be taken to protect children from blurred content in digital marketing; and
• The need for and efficacy of disclosures as a solution for children of different ages, including the format, timing, placement, wording, and frequency of disclosures.

Interestingly, in conjunction with the event, the FTC is seeking public comment on “how children are affected by digital advertising and marketing messages that may blur the line between ads and entertainment.” The FTC is accepting comments until November 18, 2022.

Conclusion

The FTC’s actions in recent months demonstrate its continuing strong interest in privacy issues. The FTC clearly is not resting on the steps it has taken in the past, but also is looking at new technologies and the new concerns they might raise (see, e.g., “FTC Report Warns About Using Artificial Intelligence to Combat Online Problems,” available at https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-report-warns-about-using-artificial-intelligence-combat-online-problems). Businesses should pay particular attention to all existing laws and regulations, and to actions that the FTC is poised to take in the near future, including any new rules that the FTC proposes following the ANPR discussed above.

Reprinted with permission from the October 17, 2022, issue of the New York Law Journal^©, ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.